diff --git a/CyberCP/secMiddleware.py b/CyberCP/secMiddleware.py index e29865d04..67f3e83c7 100755 --- a/CyberCP/secMiddleware.py +++ b/CyberCP/secMiddleware.py @@ -94,6 +94,7 @@ def __call__(self, request): except: pass + if bool(request.body): try: @@ -108,11 +109,21 @@ def __call__(self, request): data = request.POST for key, value in data.items(): + valueAlreadyChecked = 0 + + if os.path.exists(ProcessUtilities.debugPath): + logging.writeToFile(f'Key being scanned {str(key)}') + logging.writeToFile(f'Value being scanned {str(value)}') + if request.path.find('gitNotify') > -1: break + if type(value) == str or type(value) == bytes: pass elif type(value) == list: + valueAlreadyChecked = 1 + if os.path.exists(ProcessUtilities.debugPath): + logging.writeToFile(f'Item type detected as list') for items in value: if items.find('- -') > -1 or items.find('\n') > -1 or items.find(';') > -1 or items.find( '&&') > -1 or items.find('|') > -1 or items.find('...') > -1 \ @@ -157,20 +168,22 @@ def __call__(self, request): or key == 'modSecRules' or key == 'recordContentTXT' or key == 'SecAuditLogRelevantStatus' \ or key == 'fileContent' or key == 'commands' or key == 'gitHost' or key == 'ipv6' or key == 'contentNow': continue - if value.find('- -') > -1 or value.find('\n') > -1 or value.find(';') > -1 or value.find( - '&&') > -1 or value.find('|') > -1 or value.find('...') > -1 \ - or value.find("`") > -1 or value.find("$") > -1 or value.find("(") > -1 or value.find( - ")") > -1 \ - or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find( - "{") > -1 or value.find("}") > -1 \ - or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1 or value.find( - "&") > -1: - logging.writeToFile(request.body) - final_dic = { - 'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >.", - "errorMessage": "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."} - final_json = json.dumps(final_dic) - return HttpResponse(final_json) + + if valueAlreadyChecked == 0: + if value.find('- -') > -1 or value.find('\n') > -1 or value.find(';') > -1 or value.find( + '&&') > -1 or value.find('|') > -1 or value.find('...') > -1 \ + or value.find("`") > -1 or value.find("$") > -1 or value.find("(") > -1 or value.find( + ")") > -1 \ + or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find( + "{") > -1 or value.find("}") > -1 \ + or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1 or value.find( + "&") > -1: + logging.writeToFile(request.body) + final_dic = { + 'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >.", + "errorMessage": "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."} + final_json = json.dumps(final_dic) + return HttpResponse(final_json) if key.find(';') > -1 or key.find('&&') > -1 or key.find('|') > -1 or key.find('...') > -1 \ or key.find("`") > -1 or key.find("$") > -1 or key.find("(") > -1 or key.find(")") > -1 \ or key.find("'") > -1 or key.find("[") > -1 or key.find("]") > -1 or key.find(